[Image: image-blog-qac-2-4-release]
November 6, 2018

Helix QAC 2.4 Adds CWE C++ Compliance Module

Static Analysis
Security & Compliance

You can now check your C++ code against the CWE software weakness list in Helix QAC. The latest release — Helix QAC 2.4 — adds a CWE C++ compliance module option.

Helix QAC also has compliance modules for:

  • MISRA C and C++
  • AUTOSAR C++
  • CERT C and C++
  • CWE C
  • HIC++
  • JSF AV C++

CWE C++ Compliance Module

CWE is a community-developed list of software weaknesses. Many development teams use the CWE list to identify security weaknesses in their code.

CWE is not a coding standard. But by checking that their code does not contain these weaknesses, developers can strengthen the security of their code.

Helix QAC already has a compliance module for checking C code against the CWE list. It maps C diagnostics against CWE weaknesses in C.

C++ is increasing in popularity for high integrity embedded systems. That’s why Helix QAC for C++ now has CWE compatibility, too.

How It Works

This new module identifies areas in C++ code that have weaknesses included on the CWE list. Helix QAC gives you diagnostic messages where it detects weaknesses. And each diagnostic is mapped back to that particular CWE weakness.

Here’s an example.

[Image: image-blog-qac-cwe-cpp]

This particular line of code violates CWE-481.

CWE-481:

Assigning instead of comparing

This type of weakness occurs when the code uses an operator for assignment when the intention was to perform a comparison.

More Examples of CWE C++ Weaknesses

The new module supports CWE weaknesses in software written in C++.

Here are some of the most important ones.

CWE-78:

Improper neutralization of special elements used in an OS command ('OS command injection')

CWE-120:

Buffer copy without checking size of input ('classic buffer overflow')

CWE-676:

Use of potentially dangerous function
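To make the CWE-481 example above and the CWE-120 / CWE-676 entries concrete, here is an added C++ example (not code from the blog post or from Helix QAC) showing each weak pattern next to its corrected form. The function names, the `Record` struct and the sample strings are constructed for illustration; the point is that the weak forms compile cleanly, which is why a static analyser that maps each finding back to a CWE entry is useful.

```cpp
#include <cstddef>
#include <cstring>

// --- CWE-481: assigning instead of comparing ----------------------------
// Weak form (constructed example): the author meant `status == 0`, but the
// single `=` assigns 0 to `status`, the condition is always false, and the
// "ready" branch is dead code. The compiler accepts this silently unless
// warnings are enabled; a CWE-481 check flags it.
bool device_ready_buggy(int status) {
    if (status = 0) {      // assignment, not comparison: always false
        return true;
    }
    return false;
}

// Corrected form: a real comparison. Writing the constant on the left
// (`0 == status`) would turn the same typo into a compile error.
bool device_ready_fixed(int status) {
    return status == 0;
}

// --- CWE-120 / CWE-676: unbounded copy with a dangerous function ----------
// Weak form: strcpy() copies until it finds a NUL, ignoring the destination
// size. A `src` longer than 15 characters overruns `name` (undefined
// behaviour). That overrun is CWE-120; strcpy itself is the "potentially
// dangerous function" of CWE-676.
struct Record {
    char name[16];
};

void set_name_unchecked(Record& r, const char* src) {
    std::strcpy(r.name, src);   // no length check against sizeof(r.name)
}

// Hardened form: copy at most sizeof(name)-1 bytes, always NUL-terminate,
// and report truncation so the caller can reject over-long input instead
// of silently storing a mangled name. Returns true if src fitted entirely.
bool set_name_bounded(Record& r, const char* src) {
    const std::size_t cap = sizeof(r.name);
    const std::size_t len = std::strlen(src);
    if (len < cap) {
        std::memcpy(r.name, src, len + 1);   // includes the terminating NUL
        return true;
    }
    std::memcpy(r.name, src, cap - 1);
    r.name[cap - 1] = '\0';
    return false;                            // input was truncated
}

// Length of the stored name; used by the stand-alone run and the checks.
std::size_t stored_name_length(const Record& r) {
    return std::strlen(r.name);
}

int main() {
    // Constructed inputs: a short name that fits, and one that does not.
    Record r{};
    set_name_unchecked(r, "sensor-7");            // 8 chars + NUL: fits
    bool fitted = set_name_bounded(r, "this-name-is-far-too-long-for-the-field");
    bool ok = device_ready_buggy(0) == false &&   // the bug: 0 should mean ready
              device_ready_fixed(0) == true &&
              !fitted && stored_name_length(r) == 15;
    return ok ? 0 : 1;
}
```

Note that `set_name_unchecked` is only ever called here with input that fits; the overrun case is deliberately not exercised, because it has no defined result to assert on. The bounded variant turns that silent overrun into an explicit `false` the caller can act on.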

Using the CWE C++ Compliance Module

You can use the new CWE C++ compliance module to identify security weaknesses in your code. This can help you improve security and fulfill requirements of customers (who may ask you to run these security checks).

You can also use it to supplement another compliance module, such as MISRA. The CWE C++ module will ensure that your code is secure. And the MISRA C++ module will ensure you comply with the coding standard — and fulfill requirements of functional safety standards.

Add CWE C++ Compliance Module


Additional Updates in Helix QAC 2.4

Helix QAC 2.4 also includes improved coverage for the AUTOSAR C++, MISRA C, and CERT C/C++ compliance modules. Plus, this release adds parser support for C11, as well as more modern C++ features. See what else is new >

To get started with the latest version of Helix QAC, contact support to request an upgraded license.

Request New Release

Not using Helix QAC yet? Request a trial >